Defending Adversarial Attacks via Semantic Feature Manipulation

TL;DR

This paper introduces FM-Defense, a semantic feature manipulation method using a combo-variational autoencoder to detect and purify adversarial examples effectively across multiple datasets.

Contribution

It proposes a novel, attack-agnostic defense mechanism leveraging semantic feature disentanglement for adversarial detection and purification.

Findings

Detects nearly 100% of adversarial examples from various attacks.

Achieves over 99% purification accuracy on suspicious instances.

Demonstrates effectiveness across three datasets.

Abstract

Machine learning models have demonstrated vulnerability to adversarial attacks, more specifically misclassification of adversarial examples. In this paper, we propose a one-off and attack-agnostic Feature Manipulation (FM)-Defense to detect and purify adversarial examples in an interpretable and efficient manner. The intuition is that the classification result of a normal image is generally resistant to non-significant intrinsic feature changes, e.g., varying thickness of handwritten digits. In contrast, adversarial examples are sensitive to such changes since the perturbation lacks transferability. To enable manipulation of features, a combo-variational autoencoder is applied to learn disentangled latent codes that reveal semantic features. The resistance to classification change over the morphs, derived by varying and reconstructing latent codes, is used to detect suspicious inputs. Further, combo-VAE is enhanced to purify the adversarial examples with good quality by considering both class-shared and class-unique features. We empirically demonstrate the effectiveness of detection and the quality of purified instance. Our experiments on three datasets show that FM-Defense can detect nearly $100\%$ of adversarial examples produced by different state-of-the-art adversarial attacks. It achieves more than $99\%$ overall purification accuracy on the suspicious instances that close the manifold of normal examples.